Comments on: Store login information in cookie using jQuery

By: Will

Will — Sun, 30 Aug 2009 16:50:43 +0000

Just wanted to say that I agree with the argument that storing usernames and passwords in cookies is not good practice, even if they are encrypted with something like md5.

If you’re using php a better way to authenticate would be to use sessions and have the server set a variable in the $_SESSION array. You might also want to set a initial login timestamp value in that array, as well as a “last action” timestamp, and write your security rules based on these.

Another way of doing security in an *AMP environment is to store that data in a database table (currently logged in users) and use the session key (which is stored in a cookie or can be appended to the url if cookies are off). This is the method that expression engine uses and is quite secure.

You can then set up your rules on the server side so users are prompted for passwords more or less frequently, according to the level of security you need.

By: Ben Baker

Ben Baker — Thu, 16 Jul 2009 12:01:10 +0000

Hey,

Been looking into this a bit more.

There’s a jQuery MD5 script here: http://www.semnanweb.com/jquery-plugin/md5.html

I think storing the encrypted MD5 password in the cookie then matching that to the password in the db via an MD5 comparison.

So as an example jQuery to PHP query:

jQuery:
// get user name and passwrord values
var user = $(“#user_name”).val();
var pwd = trim( $(“#user_pwd”).val() );

// make ajax call with data
$.ajax({
type: “POST”,
url: “login.php”,
data: ‘user=’+ user + ‘&pwd=’ + $.md5( pwd ),
success: loginResponse
});

php:

// get password from post vars
$pwd = mysql_real_escape_string( $_POST['pwd'] );

// query string – using sql md5()
$query = “SELECT `user_password` FROM `tbl_users `WHERE MD5( `user_password` ) = ‘”.pwd.”‘” ;

// now run query…

On a successful match you can then store you cookie data, storing the password as md5.

I think this is a good way to do it. :)

By: eisabai

eisabai — Wed, 15 Jul 2009 01:45:39 +0000

Hi Ben,
I agree it’s a good practice to encrypt cookies that contain sensitive information like username and password. Thank you for the link. :)

By: Ben Baker

Ben Baker — Tue, 14 Jul 2009 13:54:49 +0000

Hey eisabai,

That’s good to know regarding secure transmit of data, but as far as I understand it the cookie is stored locally, on the users machine, right?

So you are storing the users password unencrypted in a cookie, which can be accessed and viewed.

I was thinking more along the lines of MD5 cryptography for the password/string? see here: http://pajhome.org.uk/crypt/md5/

B ;)

By: eisabai

eisabai — Tue, 09 Jun 2009 02:35:15 +0000

Hi Ben,

You can set the secure flag for the cookies so they are only transmitted via secured connections (SSL).

For example:

$.cookie(‘username’, username, { expires: 14, secure: true });

By: Ben Baker

Ben Baker — Mon, 08 Jun 2009 19:37:27 +0000

Hey, thanks for the code!

Works a charm. Although isn’t it a bad idea to store the users password unprotected in a cookie?

Is there any encryption that can be applied?

B ;)

By: Nitin Sawant

Nitin Sawant — Mon, 18 May 2009 07:44:16 +0000

thanks a lot, it really helped me

By: Jeottelak

Jeottelak — Tue, 07 Apr 2009 18:14:07 +0000

mm… bookmarked )

By: Ben Chapman

Ben Chapman — Tue, 07 Apr 2009 01:52:59 +0000

Terrific!

Thanks for this.

By: eisabai

eisabai — Sat, 28 Mar 2009 10:10:04 +0000

No prob! Glad you got it sorted out.